The great $45m bank cyber-heist: Seven New Yorkers cuffed

Crooks allegedly stole $45m in hours from ATMs after hacking into a database of prepaid debit cards.

The gang created counterfeit cards using the data swiped from two Middle Eastern banks, investigators claim, and emptied the compromised accounts of greenbacks as quickly as possible – thus minimising the possibility that the scam would be detected in time to block the cards and foil the plot. As well as lifting the data, the gang is said to have used other hacking techniques to boost their cash-withdrawal limits.

Eight people are accused of being members of the New York cell of the operation, which allegedly withdrew $2.8m in cash from hacked accounts. They were named as suspects in an indictment unsealed on Thursday. All of them, we're told, live in Yonkers, New York.

Seven of the defendants have been arrested and charged "variously with conspiracy to commit access device fraud, money laundering conspiracy, and money laundering," according to the Feds.

The first to be cuffed tried to flee from the US to the Dominican Republic on March 27, according to a US Department of Justice statement on the case.

The indictment also charges an eighth defendant, Alberto Yusi Lajud-Peña (aka Prime and Albertico), 25, who was reportedly murdered late last month in the Dominican Republic. It is understood that Lajud-Peña was shot dead at his house while playing dominoes with friends about two weeks after returning home from the US. He was named by US investigators as the leader of the New York cell. Lajud-Peña's murder by two masked men was allegedly motivated by disputes over how to split the loot from the digital heist, according to local news outlet La Nacion Dominicana.

It is alleged that the e-robbery was known to denizens of the internet underworld as "Unlimited Operation" – prepaid MasterCard debit cards issued by the National Bank of Ras Al-Khaimah PSC, also known as RAKBANK, in the United Arab Emirates, and the Bank of Muscat, Oman, were drained of cash in the hack, according to prosecutors.

We're told the main hacking phase of the operation ran between October 2012 and April 2013. During this period, cybercrooks as said to have distributed stolen prepaid debit card numbers to trusted associates in 26 countries around the world.

These associates are said to have operated cells – or teams of "cashers" – encoding magnetic stripe cards, such as gift cards, with the compromised debit card data. The subsequent release of PINs for hacked accounts fired the starting gun for a coordinated, international cash out operation involving cash withdrawals from ATMs across the globe, investigators say.

Two separate cash-out operations occurred on December 22, 2012 against RAKBANK, and on 19 February into the early hours of 20 February against Bank of Muscat. Before the pull was spotted by RAKBANK and its unnamed Indian card processor, it had suffered $5m in losses through more than 4,500 ATM fraudulent transactions in 20 countries. Bank of Muscat was hit even harder with $40m in losses through 36,000 fraudulent ATM transactions in 24 countries.

"From 3pm on February 19 through 1.26am on February 20, the defendants and their co-conspirators withdrew approximately $2.4 million in nearly 3,000 ATM withdrawals in the New York City area," according to the Feds.

The fraud was carried out against just 12 no-limits compromised accounts at the Bank of Muscat, and prompted an official statement by the bank to the stock exchange in Oman in late February, as we reported at the time.

When the fraud was detected and the cards cancelled, the casher cells are said to have laundered the proceeds, often through the purchase of luxury goods such as expensive watches and sports cars, before keeping a proportion for themselves and kicking money back up to the cybercrime kingpins and hackers masterminding the scam. If the Feds know where the real masterminds of the scam are located, they aren't saying – at least for now.

US authorities have seized hundreds of thousands of dollars in cash and bank accounts, two Rolex watches and a Mercedes SUV, and are in the process of seizing a Porsche Panamera, all linked to the scam.

The investigation into the cyberfraud was led by the US Secret Service, which worked with MasterCard, RAKBANK, and the Bank of Muscat in unravelling the scam, as well as law enforcement agencies in Japan, Canada, Germany, and Romania, and authorities in the United Arab Emirates, Dominican Republic, Mexico, Italy, Spain, Belgium, France, the United Kingdom, Latvia, Estonia, Thailand, and Malaysia.

Prepaid debit cards are used by many employers to pay staff, and by charitable organizations to distribute disaster-assistance funds.

The Unlimited Operations mega-scam may have been the biggest of its type, but it's not the first time cybercrooks have looted prepaid debit card accounts after hacking into bank databases. Much the same methodology was employed in a ATM fraud against cards issued by RBS WorldPay in November 2009 that netted crooks $9m, for example, as cybercrime blogger Gary Warner noted.

Costin Raiu, director of global research & analysis team at Kaspersky Lab, commented: "This is no doubt one of the biggest and quickest thefts we have seen. So far, it seems no customers were affected, because the hackers targeted prepaid cards from certain banks, so the banks are the only victims. Nevertheless, it's a VERY serious incident and it raises a lot of questions about the security of the current payment systems."

Raiu added that the success of the attack relied on the use of mag-stripe technology instead of harder-to-forge plastic smartcards in many countries in the world.

"I'd like to draw the attention to the fact that in US, the insecure magnetic stripe is still used when performing payments with cards; this has been mostly abandoned everywhere in Europe and replaced by the more secure chips," Raiu said.

"The cybercriminals specialised in carding focus on replicating real cards on 'blank' cards by reprogramming the magnetic stripe," he added. "A lot of these attacks would go away by getting rid of the stripe and updating the US payment systems to use the chips. Even then, it's true that the attacks won't go away, but they will for sure decrease or become a lot harder. I believe it makes sense for the banks to invest into upgrading the cards in the US and worldwide." ®